DISCLAIMER: Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology (NIST), nor does it imply that the products are necessarily the best available for the purpose.
By selecting almost any of these links, you will be leaving NIST webspace. We provide these links because they may have information of interest to you. No inferences should be drawn because some sites are referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the assertions presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites.
We also keep a list of all SAMATE Publications and presentations.
Contents
Metrics
Product Evaluation and Surveys
Technical Algorithm Papers
Specific Vulnerabilities
Other Papers
Books
Metrics
- CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2012.
- CAS Static Analysis Tool Study - Methodology, Center for Assured Software, National Security Agency, Dec 2011.
- P. K. Manadhata, K. M. C. Tan, R. A. Maxion, and J. M. Wing, An Approach to Measuring a System's Attack Surface, Carnegie Mellon University, Technical Report CMU-CS-07-146, August 2007.
- O. H. Alhazmi, Y. K. Malaiya and I. Ray, Security Vulnerabilities in Software Systems: A Quantitative Perspective, Colorado State University, IFIP WG 11.3 Working Conference on Data and Applications Security, August 2005.
- Joe Schofield, The Statistically Unreliable Nature of Lines of Code, CrossTalk, 18(4):29-33, April 2005.
- Brian Chess and Katrina Tsipenyuk, A Metric for Evaluating Static Analysis Tools, MetriCon 1.0, Vancouver, August 2006.
Product Evaluation and Surveys
in reverse chronological order
- Booz Allen Hamilton, Software Security Assessment Tools Review, March 2009.
- Martin Johns, Scanstud - Evaluating static analysis tools, May 2008
- R. Krishnan, Margaret Nadworny, and Nishil Bharill, Static Analysis for Improving Secure Software Development at Motorola, November 2007.
- Redge Bartholomew, Evaluation of Static Source Code Analyzers for Real-Time Embedded Software Development, November 2007. Available in Proc. Static Analysis Workshop II (SASII), Ada Letters, April 2008.
- Larry Suto, Analyzing the Effectiveness and Coverage of Web Application Security Scanners, October 2007
- Justin Schuh, Code Scanners: False Sense of Security?, 16 April 2007
- Peter A. Buxbaum, All for one, but not one for all, GCN, March 18, 2007
- Jeff Forristal, Review: Source-Code Assessment Tools Kill Bugs Dead, Secure Enterprise Magazine, Dec. 2005.
- Brian E. Burke, sponsored by Webroot, Securing Enterprise Environments Against Spyware : Benefits of Best-of-Breed Security, November 2005
- Kendra Kratkiewicz, Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code, Master's thesis, Harvard University, Cambridge, MA, 2005, 285 pages.
- Freeland Abbott and Joseph Saur, A Comparison of Code Checker Technologies for Software Vulnerability Evaluation, Code Checkers Project Evaluation Report, Joint Systems Integration Command, 25 April 2005
- Misha Zitser, Richard Lippmann, and Tim Leek, Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code, Proc. FSE-12, ACM SIGSOFT, 2004. DOI 10.1145/1029894.1029911
- Defense Information Systems Agency, Application Security Assessment Tool Market Survey, Version 3.0, July 29, 2004.
- Nick Rutar, Christian B. Almazan, and Jeffrey S. Foster, A Comparison of Bug Finding Tools for Java - The 15th IEEE International Symposium on Software Reliability Engineering (ISSRE'04). Saint-Malo, Bretagne, France. November 2004.
- John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, Proc. 10th Network and Distributed System Security Symposium (NDSS'03), February 5-7, 2003, San Diego, California, pages 149-162.
- Ciera Nicole Christopher, Evaluating Static Analysis Frameworks, Carnegie Mellon University, "Analysis of Software Artifacts 17-754", May 10, 2006.
- John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Static Intrusion Prevention, Proc. 7th Nordic Workshop on Secure IT Systems (Nordsec 2002), November 7-8, 2002, Karlstad, Sweden, pages 68-84.
Technical Algorithm Papers
alphabetical by author's last name
- Sagar Chaki and Scott Hissam, Certifying the Absence of Buffer Overflows, Technical Note CMU/SEI-2006-TN-030, September 2006.
- Christoph Csallner and Yannis Smaragdakis, Check 'n' Crash: Combining Static Checking and Testing, in Proceedings of the 27th International Conference on Software Engineering, May 15-21, 2005.
- David Hovemeyer and William Pugh, Finding Bugs is Easy, in SIGPLAN Notices (Proceedings of Onward! at OOPSLA 2004), December 2004.
- Holger Peine, Rules of Thumb for Secure Software Engineering, in Proceedings of the 27th International Conference on Software Engineering (ICSE), May 15-21, 2005.
- Marco Pistoia, Satish Chandra, Stephen J. Fink, and Eran Yahav, A Survey of Static Analysis Methods for Identifying Security Vulnerabilities in Software Systems, IBM Systems Journal, 46(2):265-288, April-June 2007.
- Donald J. Reifer, Protecting Yourself Against Malicious Code in COTS, Systems & Software Technology Conference, 18-21 April 2005, Salt Lake City, UT.
- Alexander Ivanov Sotirov, Automatic Vulnerability Detection Using Static Source Code Analysis, Master's thesis, 2005.
- David Wagner, Jeffrey Foster, Eric Brewer, Alexander Aiken, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, in Proceedings of the Network and Distributed Security Symposium, Feb. 2000.
Specific Vulnerabilities
- Lwin Khin Shar and Hee Beng Kuan Tan, Defeating SQL Injection, IEEE Computer, 46(3), pages 69-77, March 2013.
- Benjamin A. Kuperman, Carla E. Brodley, Hilmi Ozdoganoglu, T. N. Vijaykumar, and Ankit Jalote, Detection and prevention of stack buffer overflow attacks, CACM, 48(11), pages 50-56, November 2005.
- Robert H. B. Netzer and Barton P. Miller, What Are Race Conditions? Some Issues and Formalization, University of Wisconsin - Madison, 1992.
Other Papers
- Unforgivable Vulnerabilities, Steve Christey, 2007.
- Cyber Security: A Crisis of Prioritization, PITAC, 2005.
- OWASP Development Guide, OWASP, accessed 29 August 2012.
- David A. Wheeler, Secure Programming for Linux and UNIX HOWTO, Version 3.010, March 3, 2003.
- Christian Collberg, Clark Thomborson, and Douglas Low, A Taxonomy of Obfuscating Transformations, Technical Report #148, Department of Computer Sciences, The University of Auckland, July 1997.
- Nancy G. Leveson, High-Pressure Steam Engines and Computer Software, keynote talk, International Conference on Software Engineering, Melbourne, Australia, May 1992. A shortened version appeared in IEEE Computer, October 1994.
Books